Re: [cross-project-issues-dev] [orbit-dev] log4j vulnerability in Eclipse?
> However, I would vote for one feature per CVE, given 2
> reasons:

I just don't know if it is possible to present the user with a list of (new) CVE features to suggest to install them.
I think one crucial part would be that the user is actively informed about new problems.
Anyways for sure we can add support for that in P2 and eclipse UI but that would require some code changes.
That's why I try to get creative how to achieve something with existing codebase :-)
> I would expect that there is a chance of such a feature not being
> installable on some installations due to conflicting requirements.

Well that's actually the idea here, if there is a conflict P2 will suggest two solutions:

- uninstall the dangerous stuff and install the CVE mitigation
- do not install the CVE mitigation and keep the current installation

at least that's the theory ;-)

On 15.12.21 at 07:52, Michael Keppler wrote:
> On 13.12.2021 at 18:03, Christoph Läubrich wrote:
>> yep that's what I have had in mind, I think it would be cool to have one global feature "CVE Mitigation" or something and this requires/includes individual CVE features that ship with appropriate p2.inf items. This way, once added to an IDE this will enable us to make CVE fixes available for a broad audience and make people more aware of them through the update capabilities of eclipse itself.
>
> Sounds great. However, I would vote for one feature per CVE, given 2 reasons:
>
> - Some companies are rather reluctant to change previously certified tool chains, and might want to include fix A, but not fix B (because they can explain why it does not affect them).
> - I would expect that there is a chance of such a feature not being installable on some installations due to conflicting requirements. The more CVEs (and requirements) included, the higher that chance. It would be good if such conflict would not prohibit installing the other fixes. I might be wrong about this item.

_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/cross-project-issues-dev